Samourai Wallet operators charged over crypto mixer operations

Keonne Rodriguez and William Lonergan Hill, founders of the Samourai Wallet, were arrested and charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business. The charges relate to their operation of a cryptocurrency mixer that the DOJ says helped to launder over $2 billion in unlawful transactions. $100 million of that, they say, was connected to dark web markets including Silk Road and Hydra Market. Indeed, Samourai had actively marketed its products to "Dark/Grey Market participants".

Rodriguez was arrested in the United States; the United States will seek extradition for Hill, who was arrested in Portugal.

Samourai Wallet advertised itself as "a bitcoin wallet made for the streets", which would "keep your transactions private, your identity masked, and your funds secure". It touted features including "remote self-destruct", and would hide itself from a phone's applications list. As charges were filed in the United States, the wallet's website began displaying a seizure notice that informed visitors of a coordinated law enforcement action by the US Attorney's Office in the Southern District of New York, FBI, IRS, Europol, and Portuguese and Icelandic police. The app was also removed from the Google Play Store.

ZKasino rug pulls after raising $33 million

A project promising to build a decentralized casino managed to raise $33 million, despite an anonymous team that had exhibited several instances of shady behavior throughout ZKasino's development. The project promised that everyone who bridged ETH to their layer-2 chain would be able to receive their ETH back 1:1 in thirty days.

Instead, the project's creators transferred those more than 10,500 ETH ($33 million) to Lido, an Ethereum staking service. As for the "return" of funds, the project team indeed followed through with their promises to return the crypto... except instead of ETH, depositors received the project's native token, ZKAS, which would vest over a period of 15 months. The project announced that they had calculated the ZKAS distribution based on a discounted rate, "as a favour to our users who have bridged to participate in the ecosystem". Gee, thanks!

One investor in the project wrote, "We made a mistake investing in Zkasino early. ... [I]t sounds like a scam, but 95% of crypto consists of such crap. With memecoins pumping every day, people believe this could be the next one."

It seems that ZKasino's creators have links to other crypto scams, including a failed "ZigZagExchange", which raised around $15 million that was allegedly misallocated to work on the ZKasino project. Crypto sleuth zachxbt had also described the team as "proven bad actors" in December, listing multiple instances in which they had avoided making promised payments.

After the rug pull, the project's planned IDO on Ape Terminal and AIT Launchpad were canceled, and MEXC (which had invested in the project's seed round) canceled the token listing.

Hedgey Finance hacked for almost $45 million

Hedgey Finance, a platform used to manage token claims, lockups, and vesting, was hit with a flash loan attack that drained $44.7 million of customer funds from the platform.

The majority of assets were stolen from Hedgey on the Arbitrum layer-2 network, although around $2.1 million of them were stolen from the version deployed on the Ethereum mainnet.

Hedgey Finance confirmed the exploit, and sent an optimistic and congratulatory message on-chain: "Well done for finding it! We're assuming you executed this exploit as a white hat, so we'd like to get in touch with you to discuss next steps." No on-chain response thus far.

Hong Kong police arrest 72 people, freeze $29 million in connection to JPEX

Police in Hong Kong have arrested 72 people and frozen HK$228 million (~US$29 million) in connection to the collapse of the JPEX cryptocurrency exchange in September 2023. The South China Morning Post has described the collapse as the largest alleged fraud of its kind in Hong Kong.

According to Hong Kong police, they have received more than 2,600 complaints about JPEX, involving HK$1.6 billion (~US$204 million) in assets.

Avi Eisenberg convicted of $110 million Mango Markets heist

A jury found Avi Eisenberg guilty of fraud and market manipulation after he stole $110 million from the Mango Markets defi protocol in October 2022. Although he tried to argue that "code is law", and that his actions were legal as they were allowed by the project's smart contracts, jurors ultimately agreed with prosecutors that his manipulation of token prices constituted fraud.

Shortly after he was identified as the person behind the attack, Eisenberg tweeted that he "was involved with a team that operated a highly profitable trading strategy last week. I believe all of our actions were legal open market actions". Sadly for him, jurors didn't share this belief.

Eisenberg faces up to 20 years in prison.

Roger Stone endorses $TRUMP memecoin with misleading posts

Roger StoneRoger Stone (attribution)
Amid tweets alleging corruption among jurors in his 2019 criminal case, far-right activist and Trumpworld figure Roger Stone has posted several tweets endorsing "MAGA Memecoin", one of the many memecoins with the $TRUMP ticker. In several posts, he's suggested the token enjoys support from Trump himself, mentioning that the token is "the largest holding in Donald Trump's crypto wallet". "Donald Trump has at least $2M in @MAGAMemecoin in his crypto wallet - get yours- this cryptocurrency is going UP!", he wrote in another.

What he failed to mention is that the tokens in Trump's wallet were airdropped to him, likely without Trump even realizing it. Several of Trump's crypto wallets are publicly known, and people send coins and NFTs to them all the time. Trump has no more endorsed Stone's "MAGA Memecoin" than he has the "HarryPotterTrumpHomerSimpson777Inu" tokens that also sit in his crypto wallet.

Elsewhere, Stone disclosed, "My promotion of MAGAMemecoin is, of course, sponsored." I haven't been able to find where he has disclosed the amount he was paid for these promotions, as he is required to do.

$2 million emptied from Grand Base real world asset platform

Grand Base, a real world assets platform built on the Base layer-2 blockchain, has seen $2 million exit the platform in a hack or rug pull.

The team behind the project claimed that the deployer wallet had been compromised, allowing an attacker to drain the project's liquidity pool. Altogether, 615 ETH (~$2 million) was taken from the project.

Grand Base is a platform where users can trade "gAssets", which are crypto tokens that represent stocks in tech companies including Amazon, Apple, Google, Meta, and Microsoft.

tea.xyz causes open source software spam problems, again

The tea.xyz protocol first earned an entry on Web3 is Going Just Great in late February, when their plan to reward open source software contributors resulted in crypto enthusiasts with no intention of participating in OSS opening endless pull requests to claim ownership of prominent OSS projects. This spam was disruptive to said projects, whose (usually volunteer) maintainers had to figure out what was going on and then try to stop the spammy PRs.

Max Howell, the creator of tea.xyz (and creator of homebrew, though he's no longer involved), seemed apologetic, and promised to make changes to the protocol to stop this spammy behavior.

Now, deprived of that avenue, people are just creating massive waves of empty software packages, with nothing other than a "teafile" with their crypto wallet address for rewards, and submitting them to package managers like NPM and RubyGems.

This spam prompted a blog post from RubyGems, who wrote that they had to devote time to strengthening limits on package publishing and "ensuring [accounts] didn't disrupt the community further."

Security researchers at Phylum also wrote up the protocol's impact on the JavaScript world, which has seen as many as 7x as many packages published on NPM as previous daily averages. "Automated sustained spamming of this volume for months on end is rare and does nothing but cause heavy strain on the ecosystem itself, degrading the performance of the ecosystem for genuine users and straining open source security researchers," they wrote.

$26 million liquidated in surprise Pac Finance smart contract change

Pac Finance, a fork of the Aave lending protocol deployed on the Blast blockchain, surprised some of its users as an unannounced and unexpected code change lowered the liquidation threshold. Pac Finance said that they had asked an engineer to make changes to the smart contract, and that that person had unexpectedly decreased the threshold at which positions could be forcibly liquidated. This change resulted in $26 million being liquidated across the project.

Pac Finance has said they are "actively developing a plan with [impacted users] to mitigate the issue."

Australian NGS Crypto mining fund collapses

NGS Crypto, which sold "crypto mining packages" to interested investors, has been put into receivership. The Australian firm encouraged customers to set up a self-managed super fund — a type of retirement fund — to achieve returns they said were powered by crypto mining. The firms advertised returns of up to 16% annually, and promised that investors would receive 100% of their initial investment back at the term's completion — even "in the unlikely event that crypto mining becomes unprofitable".

NGS and its associated business is believed to have pulled in around AU$62 million (US$42 million) from around 450 Australians.

Australian DCA Fund collapses with up to $65 million owed to creditors

Liquidators have been appointed for three cryptocurrency companies owned by Ash Balanian. DCA Capital, Digital Commodity Assets, and the Digital Commodity Assets Fund have all entered liquidation after investors raised red flags about the fund's management and licensure.

So far, losses are estimated to affect around 100 investors, who have up to AU$100 million (US$65 million) in claims.

Balanian had boasted of his career experience as a former NASA mission planner, and targeted his fund to wealthy investors with a minimum initial deposit of AU$50,000 (~US$33,000).

Crema Finance and Nirvana Finance hacker sentenced to three years imprisonment

Shakeeb Ahmed, the hacker who stole a combined $12 million from Crema Finance and Nirvana Finance in July 2022, has been sentenced to three years in prison. Ahmed had previously worked for Amazon, where he led a bug bounty program focused on paying whitehat hackers to discover flaws in Amazon's software.

US Attorney Damian Williams described this as the first ever conviction for a smart contract hack.

Ahmed forfeited around $12.3 million in stolen funds, and will pay more than $5 million in restitution.

MarginFi suffers huge outflows amid CEO ragequit

The MarginFi decentralized lending project on Solana has been at the epicenter of some major drama recently, amid concerns around oracle problems, withdrawal failures, and accusations that the project has not been paying out its promised rewards. Much of this came from a Solana staking pool, SolBlaze; MarginFi responded by describing their allegations as a "hit piece" and "misinformation".

On April 10, CEO Edgar Pavlovsky tweeted that he had resigned from MarginFi, publicly calling that he "d[idn't] agree with the way things have been done internally or externally". Pavlovsky had been criticized for his response to the controversy around MarginFi, in which he had been argumentative and insulting, tweeting things like "take your money out, go fuck yourself" to those who accused him and MarginFi of malfeasance.

Amid the chaos, more than $210 million in TVL has exited the protocol.

SEC sends Wells notice to Uniswap

The US Securities and Exchange Commission issued a warning to the Uniswap decentralized exchange in the form of a Wells notice. Wells notices are used to inform the recipient of an impending lawsuit, and give them a last-ditch opportunity to convince the SEC that the suit is unwarranted.

The notice was received with an adversarial posture by Uniswap, who announced its receipt with a blog post titled "Fighting for DeFi". "Taking into account the SEC's ongoing lawsuits against Coinbase and others as well as their complete unwillingness to provide clarity or a path to registration to those operating lawfully within the U.S., we can only conclude that this is the latest political effort to target even the best actors building technology on blockchains," they wrote.

The news was met with outrage in the crypto community, who generally saw the action as indicative of an overly aggressive posture by the SEC to crack down on defi and crypto more broadly.

$23 million goes missing amid STFIL claims that they're being investigated

STFIL, a protocol that promises liquid staking and "leverage mining" to holders of Filecoin's FIL token, announced on Twitter that "We believe that the STFIL core technical team is under investigation by local Chinese police."

According to STFIL, while some of the core team members were detained by Chinese police, FIL tokens were moved to an unknown wallet. They also acknowledged that there had been "abnormal, unscheduled upgrades to the protocol". They asked their community members for help in tracking the wallet.

Some speculated that the story was fake, and that the project had stolen the funds. However, Chinese police have in several instances cracked down on people and companies involved in Filecoin-related projects, including an $83.3 million alleged pyramid scheme in August 2023 and a group of Filecoin Ponzi schemers in 2021. Filecoin mining became popular in China after its 2018 initial coin offering, and also became a magnet for Ponzi schemes and other scams.

MuskSwap and related projects exit scam for over $5 million

A person or group have raised funds for various crypto projects only to abandon them, empty the project wallets, and launder the funds through Tornado Cash. The largest of the projects was called "MuskSwap", which proclaimed: "$MUSK & MuskSwap was born to show admiration to elon musk's super projects like solarcity, tesla, space x and his constant influence on the world finance & the crypto market."

The project described itself as a DEX with a native $MUSK token, and launched in July 2021. However, the token tanked on December 25, 2021. Although the project team tried to blame the crash on "liquidity issues" and promised paths forward, they locked the project Telegram chat on March 11, 2022. On April 5, 2022, the team withdrew remaining funds and deleted the website.

Crypto analysis firm CertiK linked the MuskSwap project to several other scam tokens and projects: RocketDoge, InfinityGame, SpaceX, MUFC (themed after Manchester United), and Elona Musk. Altogether, the rug pulls have drawn in $5.1 million.

Bored Ape-themed fast food restaurant shuts down

It's hard to believe that the hamburger joint themed around the owner's Bored Ape NFT failed to take off. Although there was novelty value in the themed restaurant, which for a time boasted that it accepted cryptocurrency payments, the excitement seemed to wear off quickly after a few early news articles. After a while, the restaurant's crypto payments became spotty, with employees saying the system was unwieldy and unpopular among customers.

Some more recent Yelp reviews described fairly mediocre food, which "[t]he NFTs don't make up for".

The restaurant opened in April 2022, a month after owner Andy Nguyen purchased Bored Ape #6184 for $268,000, along with three Mutant Apes for an additional combined $187,000. #6184 became the restaurant's logo, and the others were incorporated into the restaurant's branding. The NFTs haven't been resold since, although it's unlikely they could recoup close to their original purchase prices — Bored Apes have been averaging a little under $50,000 in recent sales, and Mutants around $8,500 each.

Do Kwon and Terraform Labs found liable for $40 billion fraud

After hearing arguments that Terraform Labs was "built on lies" during a two-week-long trial, the jury in the civil case against the company and its founder Do Kwon found that both were liable for fraud.

Kwon and his company were behind the algorithmic stablecoin, Terra, which dramatically collapsed in May 2022, sending huge ripple effects throughout the ecosystem. He and his company had lied about the stability of the token, ultimately causing massive financial damage to the tune of around $40 billion.

Kwon is in custody in Montenegro after attempting to flee criminal cases in both the United States and South Korea. The civil case in the US proceeded without him.

SushiSwap team votes to give themselves control of much of the "decentralized" project's treasury

The leadership team behind SushiSwap, a popular defi platform, submitted proposals for a DAO governance vote that would transfer control of around $40 million from the DAO to a small centralized organization called "Sushi Labs". That organization would also receive all future airdrops awarded to SushiSwap. According to the proposal, this was motivated by a desire for efficiency and faster development.

The "yes" votes are currently in the lead with a 63% margin. The most yes votes came from sushigov.eth, the official SushiSwap team address, which also created the proposal. It is the first time that address has ever participated in a governance proposal.

The 5.5 million yes votes from the team wallet, plus another 3.1 million delegated from other community members, were enough to push the vote to majority support. A former SushiSwap contributor has also alleged that the SushiSwap team was manipulating the vote with additional wallets.

On Twitter, Sushi's "Head Chef" claimed that he had consulted with lawyers and then authorized the voting activity out of fear of an "extortative [sic] governance attack attempt".

Project promising to rug pull raises almost $29,000

A project describing itself as "The world's first memecoin pre-announced as a rugpull" was explicit in its marketing: "do not buy this coin, as it will go to zero."

Despite that, people sent the creator over 8.8 ETH (almost $29,000) for the project's "pre-sale", even as they repeated on Twitter that the project was a scam and that no one should buy it.

FixedFloat exchange hacked again

The FixedFloat cryptocurrency exchange was exploited again, this time for around $2.8 million. This follows shortly after a February 18 hack in which attackers made off with $26 million.

FixedFloat acknowledged the theft in a Twitter post, and blamed the same thieves. They claimed that this theft was enabled by a vulnerability in a third-party service.

Solana faces wave of drain attacks linked to trading bots including Solareum

The Solana ecosystem is grappling with a spate of drained wallets. A cause has yet to be definitively determined, but some of the thefts were linked to the use of trading bots like Solareum. Solareum speculated that the exploits may have been linked to compromised Telegram bot tokens, which could have allowed the attackers to obtain private keys from message history.

Solareum later wrote that they would be closing the project, and deleted their website. This drew some criticism from users who accused them of doing nothing to investigate the hack, or even being responsible themselves. The project wrote on Twitter, "We at #SOLAREUM team can clarify that we DO NOT steal money." Ah, well, in that case.

Other bots may have been involved in the theft, though it's not clear at this point. Though there was some speculation that a trading bot called BonkBot was to blame, that seems to have been unfounded.

The total theft amount is not clear, but exceeds $500,000.

Prisma Finance hacked for $12 million; attacker makes detailed demands

The defi protocol Prisma Finance was hacked for 3,257 ETH ($11.5 million). An attacker was able to take advantage of a flaw in the project's smart contracts, allowing them to manipulate users' positions and steal some of their collateral. Two other watchful attackers observed the attack strategy and replicated it, stealing a combined additional 173 ETH (~$610,000).

Plasma paused the protocol after detecting the attack.

The first attacker, who stole the bulk of the assets, sent an on-chain message to Prisma claiming that they had performed a "whitehat rescue", and inquired about returning the funds. In later messages, however, they asked the project to answer questions about their security practices and projects' responsibilities to users to prevent attacks. The attacker then transferred the stolen funds to Tornado Cash — indicating their return is unlikely.

In another message, the attacker was angry that Prisma had not expressed gratitude to them or remorse to their users, and was angry they had used terms like "exploit" and "attack" in their description of the incident. They demanded that the team reveal their identities, apologize, and thank the attacker in an online press conference.

Sam Bankman-Fried sentenced to 25 years in prison

Sam Bankman-FriedSam Bankman-Fried (attribution)
Sixteen months after the collapse of his FTX cryptocurrency exchange, Sam Bankman-Fried has been sentenced to 25 years in prison. He has also been ordered to pay an $11 billion monetary judgment.

The sentence follows his conviction on all seven felony charges in November 2022 — a decision reached by the jury within hours of beginning their deliberations.

Bankman-Fried intends to appeal the conviction.

  • Minute Entry for proceedings held before Judge Lewis A. Kaplan: Sentencing held on 3/28/2024 for Samuel Bankman-Fried [archive]

LENX co-founder accused of $10 million rug pull

The LENX cross-chain bitcoin liquidity protocol has recently been accused of a $10 million rug pull after community members observed massive withdrawals of treasury funds which were then sent to Binance accounts.

One of the co-founders, known only as "Paul", claimed on Discord that he was "trying to investigate" the movement of funds, which have been blamed on the project's other co-founder, John Kim.

Conversations on Discord suggest that a remaining $3 million in treasury funds were protected, and that the remaining LENX team may have been able to convince Binance to freeze the account that received stolen funds. However, little has been verifiably confirmed to date.

LENX is backed by the Frax Finance lending protocol.

KuCoin and founders criminally charged

The cryptocurrency exchange KuCoin and two of its founders, Chun Gan and Ke Tang, were indicted in the Southern District of New York on charges of conspiring to operate an unlicensed money transmitting business and conspiring to violate the Bank Secrecy Act. Both founders are Chinese citizens, and neither has been located or arrested.

According to prosecutors, they tried to conceal that the exchange had customers from the United States in order to claim that they were exempt from US anti-money laundering laws. They also marketed KuCoin as a KYC-optional exchange where customers from the US could operate unverified accounts.

The charges against the founders carry maximum sentences of five years in prison.

"Munchables" crypto game exploited for $62.5 million

A small round furry shape with big blue eyes and thin legs, somewhat resembling a soot spriteA Munchable (attribution)
The "Munchables" crypto game explains: "Schnibbles grow on every realm across the Munchable's world. Each realm has their own unique and distinctive schniblet, and the Munchables react differently based on their compatibility to the schniblets fed to them. When creating an account for the Munchables, you must choose the location of your snuggery." Right then.

Things went awry in the land of the schnibbles and snuggeries when an attacker siphoned around 17,400 ETH ($62.5 million). Various descriptions of the attack circulated, with blockchain sleuth zachxbt attributing it to a recently hired developer, and crypto developer 0xQuit claiming the theft appeared to have been "planned since deploy".

Some began discussing the possibility that the Blast layer-2 blockchain might forcibly roll back the chain to "undo" the hack. Some have argued this is contra to the crypto ethos or would set a bad precedent, while others have argued that as a blockchain focused more on gaming and experimentation and less on decentralization and other facets of crypto ideology, it would be a reasonable step.

Some hours after the attack, the exploiter was convinced to return the funds.

Curio RWA project suffers $16 million exploit

Curio, a crypto project that creates tokens based on "real-world assets" (RWAs) like cars, watches, wine, and other goods, has suffered an attack that saw around $16 million drained from the project's funds.

A bug in the project's Ethereum smart contract enabled an attacker to mint 1 billion of the project's CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.

Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.

Solana memecoin frenzy sparks trend of incredibly racist meme tokens

A screenshot of many Solana tokens on DEXScreener, including:
JEWS "Jews did 911"
卐 "NAZI"
N*** TRUMP "N*** Trump"
N***OLAS "N***OLAS CAGE"
COVID "chinadidcovid"
N***Butt "N*** Butt Token"
APERAH "aperah wenfree"
BDN "Big Dick N***"
CHIGGA "Chinese N***"
HITLER "I was right"
BOJE "Book of J***ers"
WODNDOR "AuschwitzWoodenDoor"
LIBTARD "Go Woke Go Broke"
BULLJEW "BULL JEW"
wifcancer "kate wif cancer"
N*** TRUMP "N*** TRUMP 2024"
GayPedo "Gays Are Pedos"
J*** "J*** Buice"Racist Solana tokens on DEXScreener (attribution)
Solana memecoin trading has been booming lately, with people making money by speculating on tokens themed around various memes and jokes. Amid an explosion in trading innocuously-named meme tokens like dogwifhat has also been a rise in blatantly racist tokens, named after racial slurs, featuring racist caricatures, or named after antisemitic conspiracy theories.

The tokens became so popular that projects showing newly-released tokens, like DEXScreener, became full of such tokens. DEXScreener released a statement on Twitter to say that "We'll be reviewing our token profile moderation policy in the coming days. We won't be the gatekeepers of what happens on-chain, but we're definitely not here to spread hate." The replies to the tweet were, predictably, full of people accusing DEXScreener of "censorship" and "going woke".

Previously rug-pulled Lucky Star Currency project somehow rugs again

The astrology-based Lucky Star Currency project rug-pulled for $1.1 million in October 2023. You'd think that might be the end of it, but on March 22, 2024, ownership of the project was transferred to a malicious smart contract that then drained tokens priced at almost $300,000 from those who still held them.

You almost have to admire the tenacity.

TICKER project developer steals $900,000

Tweet by MIDA (@brgMIDA): "im not sorry for any of you, tbh
you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich, you were expecting to receive 10,100,1000x money for that donation or wtf, "they dont tell us it gonna 1000x when they are down the streets tho", cuz you would have otherwise mfer? go touch grass anon, and apply donating from hands to hands to people in needs in your closest physical community and turn the world a better place instead, i love you
social contracts do not have a place on the blockchain anons, i don't know why it is not much more evident for all of you"Tweet by TICKER thief (attribution)
A developer brought on to run a presale for the $TICKER token stole $900,000 from the project. 15% of the token supply was sent to the developer to distribute via an airdrop, but instead of doing so, the developer sold the majority of the tokens for around $900,000.

After the thief was identified by blockchain sleuth zachxbt, they posted a long message on Twitter, writing, "im not sorry for any of you, tbh. you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich". The thief later spent some of the money on Milady NFTs and memecoins.

zachxbt stated that he had identified the developer, including his full name, location, and other details. He encouraged those who were scammed to contact him if they were interested in pursuing legal action.

Super Sushi Samurai exploited by whitehat for $4.6 million

Super Sushi Samurai, a new blockchain game on the Blast layer-2 blockchain was exploited for $4.6 million when an attacker discovered a vulnerability in its smart contract. A bug in the mint functionality caused users who transferred their $SSS balance to themselves to receive twice as many tokens. An attacker took advantage of this to drain $4.6 million from the project, causing the $SSS token to plummet by 99%.

The attacker contacted the project shortly after the theft, claiming to be a whitehat. They wrote, "Hi team, this is a whitehat rescue hack. Let's work on reimbursing the users." Super Sushi Samurai later confirmed that the funds had been returned, minus a 5% "bounty". The team also gave the whitehat an additional 2.5% in SSS tokens and land, and brought them on to the project team as a tech adviser.

AirDAO exploited via social engineering attack

An attacker used social engineering techniques to gain access to the AirDAO project's liquidity pool. They then were able to drain 126.5 ETH (~$551,540) and 41.6 million AMB (notionally priced at around $500,000, but not very liquid). The thief then transferred the stolen tokens through various exchanges.

AirDAO announced the theft the following day, and stated that they were working to track and freeze stolen funds. They also offered the attacker a 10% "bounty" if they chose to return the stolen assets.

Dolomite exchange exploited for $1.8 million

The Dolomite DEX suffered a $1.8 million theft as an exploiter was able to take advantage of a vulnerability in a smart contract that had been deployed in 2019. Although most contemporary users of the exchange use a version deployed on the Arbitrum layer-2 network, the old contracts were still usable on Ethereum.

An attacker apparently discovered a reentrancy bug allowing them to drain user funds from those who had approved the old contract. Altogether, around $1.8 million was taken before the team disabled the contract. The attacker quickly tumbled the stolen funds through Tornado Cash.

SEC launches investigation into Ethereum Foundation

Fortune reported that the U.S. Securities and Exchange Commission has targeted the Swiss-based Ethereum Foundation for investigation, apparently in an effort to classify its ETH token a security. The report came out shortly after CoinDesk reported that a warrant canary had been removed from the Ethereum Foundation's website.

Although the SEC has agreed that bitcoin is a commodity and not a security, it has been hesitant to make similar explicit statements about ETH. Designation as a security could be devastating to the Ethereum project and to ETH, which is the second most popular cryptocurrency to bitcoin.

Bitcoin flash crashes on BitMEX

A "very small number of accounts" were able to crash the bitcoin price on the BitMEX exchange from its roughly $66,000 price to as low as $8,900. BitMEX attributed the incident to "aggressive selling behavior" by that small group.

The incident underscores the thinness of the bitcoin markets on some cryptocurrency exchanges, and the ease with which a few whales can manipulate token prices.

BitMEX used to be among the largest cryptocurrency trading platforms, though its popularity diminished after its founders were hit with criminal charges in 2020 for violations of the Bank Secrecy Act.

Slerf memecoin meltdown only adds to mania

People have gotten really into memecoin trading on Solana recently. Like really into it. Someone decided they'd hop on the bandwagon with "Slerf", a sloth-themed memecoin they said would launch with a 50% presale.

Thanks to the aforementioned frenzy, the project managed to raise $10 million in the presale. However, things went sideways when the developer accidentally burned the $10 million by sending them to an address where they would be permanently inaccessible. "oh fuck", the developer wrote ominously on Twitter, before explaining their mistake.

Some speculated that the screwup may have been a marketing ploy, in which case it was very successful, because the token went on to post more than $2.7 billion in trading volume over a 24-hour period — more than the entire ETH trading volume in that period. The monumental error by the developers seemed to have no damper on the overall frenzy around memecoins, or even produced the opposite effect.

Surely this trend won't end badly.

Wilder World game suffers $1.8 million theft, blames contractor

Wilder World is a blockchain-based racing game that uses all the buzzwords: blockchains, artificial intelligence, and metaverse. On March 16, someone with access to the project deployer's private key upgraded legacy contracts and transfer the project's $WILD and $MEOW tokens to themselves. Altogether, the attacker profited 515 ETH (~$1.8 million), which they then laundered through the Tornado Cash cryptocurrency tumbler.

The project blamed the theft on a previous contractor who had the private key. They also explained that the attacker seemed to be a developer based on the fact that they had "specialized knowledge of ZERO's internal security systems".

Phisher impersonating influential crypto trader in Twitter replies scams over $2.6 million

Tweet by real Ansem account: i dont launch coins bros, but i can give allo to good stuff in other ways soon
Tweet by fake Ansem account closely resembling the one above it: 
im about to launch my own token $BULL this weekend
link presale: [redacted link]
min 1 sol
max 3 sol
lets run it up yallAnsem impersonator responding to a tweet by the real account (attribution)
Someone impersonating Ansem, an influential crypto trader, was able to scam people out of more than $2.6 million simply by replying to the real Ansem's tweets. Using an account mimicking the real account, with only a slight difference in the username, a phisher convinced Ansem's followers that he was creating his own Solana memecoin and asked them to buy in.

In one of the real Ansem's tweets, Ansem wrote "i dont launch coins bros" — nevertheless, followers eager to get in early on a new memecoin clicked a link offering a presale and had their wallets drained.

Altogether, people lost $2.6 million to the scam. One individual lost $1.2 million.

Remilia Collective reports multi-million dollar hack

An anime style illustration of a person with green hair wearing a cat ears headband and light blue blouse with a peter pan style collar. At the bottom of the illustration are defense and attack points bars like in a card game.Milady #5539 (attribution)
"Charlotte Fang", the leader of the controversial Remilia project (known for its Milady NFTs), claimed he was hacked and drained of ETH and NFTs potentially worth several million dollars. Although the project's treasury used a multi-signature model, the private keys were stored in one password manager, which Fang says was compromised.

The attacker stole around 490 ETH (~$1.8 million) and $58,000 USDC, along with more than 130 Milady NFTs, 320 Remilio NFTs, and hundreds of derivative tokens issued on the NFTX platform. Based on floor prices, the assets are valued at north of $6 million.

The mechanism of the attack is still uncertain, though Fang has said he suspects malware that could have intercepted credentials to his Bitwarden password manager. Some have expressed skepticism around the "hack", suggesting it could have been inside job. The Remilia group had suffered a separate $1 million loss in September 2023 — blamed on a rogue developer — and failed to implement many security safeguards after that incident.

NFPrompt discloses hack

A Binance-incubated platform called NFPrompt claims to be "the first Prompt Artist Platform in Web3" — with "prompt artist" referring to people who come up with prompts to feed into large language models. More succinctly, it's a platform to sell the NFTs you've made out of AI-generated images.

The platform announced on March 15 that it had suffered a "critical security incident" that it attributed to "a group of hackers" who were able to gain access to funds belonging both to the project's users and the project itself. They did not disclose how much was taken.

The project announced that it was working with the FBI, and had contacted centralized exchanges to ask them to freeze stolen funds.

Someone accidentally burns $1.36 million Tether

Someone accidentally threw away $1.36 million when they accidentally sent Tethers to the Tether contract address — making them permanently inaccessible in a process known as "burning". This is a rather common phenomenon in crypto, where it's easy to accidentally copy/paste the wrong address.

Most experienced crypto users have adopted the habit of sending small test transactions before transferring large amounts of tokens, to first check that they're using the correct address. Oddly, this person did so in this case, but then went right ahead and transferred the remaining tokens to the erroneous address.

The person may have lucked out that they were using a centralized stablecoin like Tether, whose operators hold a substantial amount of control over freezing, destroying, and creating new Tethers — and could feasibly replace the burned tokens.

Mozaic exploited for $2 million, recovers 90%

The "AI-optimized" defi project Mozaic Fi was exploited by an attacker who drained around $2 million in funds from the project.

According to MozaicFi, the theft had been perpetrated by a rogue developer who was able to gain access to a private key held by a core team member. They also claimed that a simultaneous large sale of the Mozaic token resulted in cascading liquidations.

In good news for the project, the attacker moved around 90% of the stolen funds to MEXC, a centralized cryptocurrency exchange that was able to freeze the thief's access to the funds.

MOBOX lending platform exploited for $750,000

The decentralized lending protocol, MOBOX, was exploited on March 14, 2024 after an attacker was able to take advantage of a bug in its referral program and borrowing functionality. By repeatedly borrowing funds and earning rewards, they were able to drain around $750,000 in USDT.

Massachusetts prosecutors seek to seize $2.3 million from crypto romance scam

The U.S. Attorney's Office in the District of Massachusetts announced that they had filed a civil forfeiture action to seize cryptocurrency priced at around $2.3 million from two Binance accounts. Those accounts had received cryptocurrency of various kinds from at least 37 American victims, one of whom was based in Massachusetts and who lost $400,000 in crypto assets to the scammers.

Phishing attack drains $2 million from one victim

An Ethereum holder who had been staking their ETH through a liquid restaking protocol called Ether.fi suffered a 501 ETH (~$2.025 million) loss when they fell victim to a phishing scam. They inadvertently signed a malicious transaction that granted the attacker "increase allowance" permissions, enabling them to siphon almost the entire sum of funds from the wallet. The individual was left with less than $1,500 in the wallet.

Incognito Market drug marketplace pulls multi-million dollar double scam

Since March 5, those who used the Incognito Market darkweb narcotics marketplace have found themselves unable to withdraw the Bitcoin and Monero they had on the platform. It appeared the platform had exit scammed for somewhere between $10 and $30 million.

Making matters worse, on March 10 the website posted a message reading, "Yes, this is an extortion !!" They wrote that, although the platform promised to "auto-encrypt" messages between buyers and sellers, and auto-delete after an expiry date, messages were not encrypted or deleted. They demanded that users pay an additional $100 to $20,000 to have their information removed from the dataset, which they promised to release at the end of May. "Whether or not you and your customers' info is on that list is totally up to you."

The tactic is reminiscent of that of ransomware groups, which often demand double fees: one from victims of hacks first to regain access to their systems, and another in exchange for a promise to destroy stolen data.

Kickstarter's bizarre "pivot to blockchain" spurred by secret $100 million Andreessen Horowitz investment

Web3: a technology so promising you can't even pay a company $100 million to use it.

Crowdfunding website Kickstarter surprised and dismayed many of its users in December 2021 when they announced they would be moving the product to the blockchain in December 2021 for... reasons. That blockchain would just so happen to be the relatively unknown Andreessen Horowitz-backed Celo blockchain. "How this will actually work, beyond Kickstarter being able to yell 'blockchain' like a spell to summon investors ... is unclear," wrote Tom McKay at Gizmodo.

He probably didn't realize how right he was, but now it's been revealed that KickStarter was able to land a $100 million investment from Andreessen Horowitz with handwavy proclamations about the blockchain that its own COO didn't seem to quite understand.

The company seems to have since given up on its blockchain ambitions — in no small part thanks to user revolt. It seems that $100 million windfall didn't include any terms actually requiring Kickstarter to follow through.

Twitter phishers steal over $46 million from 57,000 victims in February

Scam Sniffer's February 2024 report describes 57,000 victims who collectively lost almost $47 million thanks to various phishing schemes on the Twitter platform. Many of the losses came from accounts designed to impersonate various popular cryptocurrency projects, who diverted users to scam websites resembling the real ones.

The largest individual loss was the phishing attack against kirilm.eth, who had over 180 million $BEAM tokens notionally worth over $5 million drained from their crypto wallet. The attacker sold the tokens for around $4.5 million.

The total amount stolen is down slightly from January, in which $55 million was taken. Altogether, scammers have stolen over $100 million via Twitter phishing alone in the first two months of 2024.

Crypto4Winners investment firm claims funds were stolen

A investment firm called Crypto4Winners announced in their Telegram channel that "Our investigations lead us to suspect an individual of committing fraudulent acts that may have compromised the integrity of assets. It is also possible that the current and historical data at our disposal has been tampered with, with a high degree of sophistication."

The company had paused withdrawals the previous day, and has not re-enabled them. They also have not disclosed the amount that was allegedly stolen.

Crypto4Winners claims it has earned 377% returns on customer investments since 2019, producing 3–20% monthly returns.

The company is co-owned by Luc Schiltz, who was sentenced to six years in prison in 2017 for defrauding victims of over $1.5 million through various investment frauds. He was released after two years, and quickly started the Crypto4Winners project after.